Knowledge Base::DBSA:2015-0001

Views

Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant, please refer to the "Date" section of the header to be sure the advisory is recent as pertains to your situation.

Who should take note: All Puush Users, especially users of Puush Windows client

Classification

Priority: HIGH

Rationale: Confidential user data on infected systems may be compromised, it is essential to limit the scope of compromised data.

Severity: MODERATE

Rationale: Malware is a trojan horse that may download and install additional malware. User internet traffic may be compromised with malware present.

Spread of Issue: SINGLE-PLATFORM MODERATE

Rationale: Puush.me is a fairly known service.

Description

Puu.sh aka Puush.me aka Puush is a file sharing and distribution service that users may easily upload files from their computers and make them available to others. The service is targetted toward media sharing. There has been recently an incident whereas an update uploaded to the vendor's servers had been contaminated or otherwise compromised that resulted in malware being included in an update issued to users. This malware is known as QVM03.0.Malware and has been identified to contact foreign servers and tamper with proxy server settings, file extensions and install additional malware.

The Puush service itself is not believed to be compromised as a result of this incident, but the front-end webserver has been confirmed to had been compromised.

(Following only listed here for reference, skip to bottom for Mitigation/Solution)

As per the analysis, the malware contacts a Russian server, potentially a botnet Command and Control instance or a receiver for identity theft purposes:

Mitigation/Solution

The vendor has issued a secondary update that removes the malware, however it is strongly advised to scan with a full antimalware software such as MalwareBytes (https://www.malwarebytes.org/) for any additional malware as the included update fix and traditional antivirus may not detect all malware. The download and use of Adwcleaner (http://www.bleepingcomputer.com/download/adwcleaner/) may also be performed to identify if any additional tampering has been performed. It may also be advised to change passwords stored in password managers and entered while this update was in place.